Klaatu Recommends Nikto for Web Security

Nikto is a free, open source, command line scanning script used for testing your web server’s security. It checks for thousands of vulnerabilities and potential security weaknesses such as default files and programs, outdated servers, insecure files, and server and software misconfigurations. Nikto uses a configuration file, three dozen plugins for testing and a handful of templates for reporting.

Nikto is not a weapon nor is it a remedy for damage that’s already occurred. It is an assessment tool that, when used properly, may prevent a host of potential security threats from becoming reality.

The Warning

It’s no concern of mine how you run your websites, but if you receive a notice from your hosting company that your site’s lack of security threatens everyone’s service, you could face obliteration. Security is one area where an ounce of prevention is worth a pound of cure. Before you receive that notice or your site falls prey to a cyber attack, install Nikto on a remote computer and begin your assessments.

Nikto’s installation is simple and painless; no compiling is required. To use SSL support, you must have the following prerequisites: Net::SSLeay, openssl-perl, perl-MD5 and perl-libwhisker2. Depending on your distribution, other dependencies may exist for these packages. Some distributions package Nikto as well. My CentOS 5.x system gave me an outdated version to use when I performed a yum installation.

After you’ve satisfied the prerequisites and their dependencies, grab the tarball from the CIRT website at http://cirt.net/Nikto2. Unzip, untar and you’re ready to begin your security scans.

Nikto Tests

- IDS Evasion
- 2300+ New RFI Tests
- 6100+ Files and CGIs
- Outdated Versions of 950+ Servers
- Version-specific Problems on 260+ Servers
- SSL Information

The System

Nikto isn’t perfect but it’s a system that works. If you secure your websites to the point where nikto produces minimal results, I feel confident that your risks are also minimal. Once you’ve installed Nikto, it’s time to take it for a test drive.

At a command line, enter the following command to start a simple port 80 scan on website.com (website.com is an example; substitute your own target for it):

The results you see are from a default Apache installation; scans of active sites produce more verbose output. The -h switch specifies the host you want to test. To see a list of all possible switches, enter ./nikto.pl at the prompt.

Note: You will likely experience a long wait between the initial header’s appearance and useful scan information. Don’t kill the process. I’ve waited as much as 15 minutes for a response. Allow Nikto to do its job.

Another useful example is to scan ports 443 and 8080 for a more comprehensive look at security vulnerabilities. When you specify ports, you can list several of them, including port 80 (the default).

I don’t have any services on ports 443 or 8080, and that’s why you see the “No web server found” notices. Some notices give you explicit information such as “Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE” and others provide little useful information: “Unauthorized Read Access.”

Don’t ignore the information you receive from these scans; investigate it. Yes, Nikto yields some false positives, but they’re all worth checking into for your own security’s sake. You don’t want to go to the trouble of scanning and then ignore the results.

The Penalty

The penalty for provoking the actions of website attackers is too terrible to risk. It’s also risky to use Nikto for your own evil deeds, since Nikto isn’t, as the developers put it, “designed as an overly stealthy tool.”

Web server access logs show the originating IP address of the scanning computer and that you’re using Nikto to scan for vulnerabilities. For this reason, I suggest you use Nikto to scan sites that you control and leave others alone. You don’t want an uninvited visitor warning you that your scans are perceived as an act of aggression.

You can see from this entry that Nikto doesn’t cover its tracks nor is it meant to. It is not a tool for those with malicious intent but for those who want to prevent such attacks from compromising their sites and data.
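As an added example, not code from the article or from the Nikto project, the following Python script checks Apache access log lines for the traces the article describes: a User-Agent that names Nikto, and a burst of requests that mostly return 404 (what probing for files and CGIs looks like even if the User-Agent has been changed). The log lines are constructed for the example, and the Nikto User-Agent string is assumed to follow Nikto’s default format.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (made up for this example).
# The Nikto User-Agent follows the pattern Nikto sends by default.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 4523 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
192.0.2.9 - - [10/Oct/2023:14:01:00 +0000] "GET /old.php HTTP/1.1" 404 209 "-" "curl/8.0.1"
192.0.2.9 - - [10/Oct/2023:14:01:00 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "curl/8.0.1"
192.0.2.9 - - [10/Oct/2023:14:01:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "curl/8.0.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_scanners(log_text, min_requests=3, not_found_ratio=0.5):
    """Return {ip: [reasons]} for clients that look like vulnerability scanners:
    a User-Agent naming Nikto, or a burst of requests that mostly return 404."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "nikto_ua": False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of crashing on them
        stats = per_ip[entry["ip"]]
        stats["total"] += 1
        stats["not_found"] += entry["status"] == "404"      # bool counts as 0/1
        stats["nikto_ua"] |= "nikto" in entry["ua"].lower()
    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["nikto_ua"]:
            reasons.append("Nikto User-Agent")
        if s["total"] >= min_requests and s["not_found"] / s["total"] >= not_found_ratio:
            reasons.append("%d of %d requests returned 404" % (s["not_found"], s["total"]))
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Running find_scanners over a real access log (for example, open("/var/log/httpd/access_log").read()) lists each source address with the reason it was flagged, which is exactly the kind of entry a site owner would see after being scanned.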

This brief introduction to Nikto and its use should give you adequate information to make you paranoid enough to download it and begin scanning those potentially insecure websites. Nikto isn’t platform or web server specific. It responds equally well to Apache, Microsoft’s IIS and other web server software. Klaatu barada Nikto, loosely translated, means, “Klaatu recommends Nikto.”

Comments on "Klaatu Recommends Nikto for Web Security"

jannisj

This was actually very nice.
Definitely going to test our corporate websites with this :)

I enjoy the helpful information you provide within your articles. I will bookmark your weblog and look here again frequently. I am quite certain I will learn a lot of new stuff on this site!

Hey there, and thank you for your information – I have definitely found something new here. I did, however, experience several technical issues using this website, since I had to reload the web site a lot of times before I could get it to load properly. I had been wondering whether your hosting company is OK? Not that I’m complaining, but sluggish loading times will often affect your placement in Google and can damage your quality score if advertising and marketing with Adwords. Anyway, I’m adding this RSS to my email and will look out for much more of your interesting content. Be sure you update this again soon.